
478 points miloschwartz | 5 comments

Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.

We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.

GitHub: https://github.com/fosrl/pangolin

Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install

Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723

Some use cases:

  - Grant users access to your apps from anywhere using just a web browser

  - Proxy behind CGNAT

  - One application load balancer across multiple clouds and on-premises

  - Easily expose services on IoT and edge devices for field monitoring

  - Bring localhost online for easy access

A few key features:

  - No port forwarding and hide your public IP for self-hosting

  - Create proxies to multiple different private networks

  - OAuth2/OIDC identity providers

  - Role-based access control

  - Raw TCP and UDP support

  - Resource-specific pin codes, passwords, email OTP

  - Self-destructing shareable links

  - API for automation

  - WAF with CrowdSec and Geoblocking
noduerme No.44527896
This seems really interesting for managing a lot of remote dev boxes or something like that...

So, kind of an uneducated question (from someone who isn't heavily involved in actual infrastructure)... I haven't used CF tunnels, and the extent of my proxying private services has pretty much been either reverse proxy tunnels over SSH, or Tailscale, where pretty much any service I want to test privately is located on some particular device, like a single EC2 instance, or my laptop that's at home while I'm out on my phone. Could you explain in layman's terms what this solves that e.g. Tailscale doesn't?

replies(4): >>44527967 >>44528323 >>44529595 >>44530525
mbesto No.44528323
I use CF tunnels pretty extensively with my home Unraid server.

The TL;DR is this - there are certain apps I host that I want to be public and don't want to onboard a Tailscale node (for example my sister uses my Plex server). So, instead of setting up a reverse proxy, I simply create a subdomain in DNS (via CF) and then route that subdomain to the CF tunnel.

It's like 3 form entries to do all of this for one site/service and automatically creates an SSL cert for me. I love it.

replies(2): >>44528584 >>44529015
jonotime No.44528584
Out of curiosity why not give your sister restricted access to your tailnet instead? Then nothing is public.
replies(2): >>44529057 >>44529659
1. noduerme No.44529659
Tailscale and Plex do not play nicely, particularly since Plex implemented a bunch of shit to try to charge users for accessing their own files outside what it considers a local network. Switching to Jellyfin is on my maintenance list. It's very understandable that if you had given a family member access to your Plex server before this year and it "just worked" you might look now at Tailscale as a way to put them on your LAN and then decide that the complexity isn't worth it, given the hoops that Plex had apparently gone through to make that a non-viable option.

Fuck Plex, by the way. Good on them for building up and turning themselves into a streaming service of sorts. Add value and I'll pay for it. But suddenly one day your free mobile viewer app updates and requires payment to stream your own mp4 files? Seriously, they can go to hell. No one streaming movie files to their family is doing so because they love paying middle-men, by the way. And no core function of Plex can't be done freely.

replies(3): >>44530901 >>44534457 >>44538583
2. subscribed No.44530901
To me, another huge no-no is the apparent lack of option to stop Plex from sending all the filenames to the mothership.
3. jonotime No.44534457
Ah ok. Admittedly I don't host a media server, so it sounds like Plex brings new challenges.

I would just prefer not to have to publicly expose a service for a single user. In my case, when sharing an image server with family, it has been easy enough to walk them through installing Tailscale on the Windows desktop that they use. I love adding friends and fam to my tailnet. It then also makes it easier to log in and troubleshoot their issues later too.

It looks like CF's solution for restricted public access is CF Access control, but that's still publicly exposed. Their non-public option is WARP, but that requires installation on the client machine. At that point your user setup is even harder than Tailscale.

4. wredcoll No.44538583
I don't want to defend Plex too hard, but I was super confused by what you were talking about:

> But suddenly one day your free mobile viewer app updates and requires payment to stream your own mp4 files

I have a Plex server that a dozen of my friends and family use, and none of them have to pay a cent to access it.

Then after thinking about it a bit longer, I remembered that Plex was making some kind of distinction about "members of a household", apparently called Plex Home [1].

I'm not sure what benefits you get from using it, since I haven't bothered trying to see what it needs to work.

Long story short, however: if you just have your family members sign up for their own Plex accounts, then add them to your Plex server as separate users, things will continue to Just Work and do so for free.

replies(1): >>44539634
5. noduerme No.44539634
I haven't found this to be the case. I use the free Plex server on Windows and macOS, and connect to my home boxes from my phone. Prior to April 2025, I could stream on my phone from my Plex servers anytime. Since the last update, attempting to stream from any device that's not on the same LAN as the server pops up a window asking you to subscribe if you want to stream "remotely". This is even in cases where nothing is being sent through Plex's servers except for signaling data. It is only possible to stream over the internet for free now if you tunnel to that server, make it your Tailscale exit node, and use the web app, not the mobile app.

I'm not sure what the deal is with Plex Home but maybe they grandfathered in some kinds of older accounts. At this point though, it no longer appears to be a free option to easily stream from your home server if you're setting it up fresh or have a regular account.